1. Get a token, which is either HTML markup or text. Stop when none are left.
2. If the token is text, add it to the output.
3. Drop the tag if it's not allowed.
4. Drop each attribute that is not allowed.
5. Repeat.